koliveira15 / nx-sonarqube Goto Github PK

• One serve command to watch both docs site and build tools script
• Cache build docs task
• sort schema properties by required then alphabetical

I really like this plugin,

I think creating a generator that can activate coverage reports in a target and all its dependant libraries.

This could also be then called in the init generator also to as an option. This will then ensure that all tests are configured also.

This should work for both vite and jest especially when #62 is introduced for #54.

Create bugfix issue template

utils.ts is too large. break the file up in logical parts (dep-graph, test-runners, scan, etc)

It seems that v2.2.0 still relies on nx 15.

e.g. in node_modules/@koliveira15/nx-sonarqube/src/executors/scan/executor.js we can see that the code still requires @nrwl/devkit (nx <16 style) instead of @nx/devkit

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
const tslib_1 = require("tslib");
const devkit_1 = require("@nrwl/devkit"); // <----------- 
const utils_1 = require("./utils/utils");

This prevents any project (or at least ours :D) that uses nx 16 to use this dependency.

It seems the issue has been solved by this commit a few days ago, whereas the latest publish to npm is roughly one month old. I assume therefore that just publishing to npm would solve the issue for dependant projects.

Thank you very much, feel free to write me if you need more info, or if I can support you in any way :)

Deploy docs site to GitHub pages

AC1: Workflow
Given a branch is created
When I push code to the branch
Then the CI workflow executes
And build, lint, test is executed
And the Nx Cloud report is generated
And the status check is set

Create feature request issue template

I am not quite sure if it is a bug or an error on my side, but I will just share my experience.

I have structured my app completly as library components, but grouped app specfic components in a folder with the name of the app like this:
libs/appName/home/feature/lib

it includes all relevant sources, but tells me:
"Skipping appName as it does not have a test target"

Is that an error on my side, or might that be a problem in the plugin? If you need any more information let me know.

It is not clear how users should override the SONAR_SOURCES / sonar.sources value, or even how this is set internally within nx-sonarqube.

Issue 1
The docs allow an "extra" property:

A key value pair for any extra sonar variable that is not included in the list above

that can be anything described in the sonar analysis scope. However, this is actually overwritten by custom logic in the plugin 😿.
Request: Could you make it clear in the docs that this property can not be set via extras? Note: it can be overwritten by an env var, but I can not leverage this for my use-case because we run many nx targets together.

Issue 2
Additionally, my local scans never worked. When I tried to find out why, I see that this library depends on an optional property from the nx project.json. This assumes that all consumers set this value (which is not true).
Request: Even if this approach using sourceRoot remains, it would be great to print an error to the console and fail the scan if this value is not set.

Thanks ❤️ (and awesome plugin 🎉 )

As suggested by @C0ZEN to make a seperate PR. I am opening this issue to track seperately

          Since it's not a change coming from this PR, I suggest opening another — dedicated — PR to tackle this.

Originally posted by @C0ZEN in #62 (comment)

While running nx run my-app:sonar it only includes libs which are direct dependencies of my-app.

For example if my-app has 2 libs lib-a and lib-b which are directly imported in my-app the command will only detect these 2 libs.
If these two libs further has dependencies scanner is not able to include them as dependent to analyze code. It should scan them too as they are also being used as dependency indirectly by my-app.

In actual application I have configured test to run with deps when I'm running nx test my-app, with it shows 98 deps.

But with sonar I can see it only detect 32 direct Deps. Not detecting libs which are dependent of other libs which are not direct dependent.

```

nx : 14.1.9
@nrwl/angular : 14.1.9
@nrwl/cypress : 14.1.9
@nrwl/detox : Not Found
@nrwl/devkit : 14.1.9
@nrwl/eslint-plugin-nx : 14.1.9
@nrwl/express : Not Found
@nrwl/jest : 14.1.9
@nrwl/js : Not Found
@nrwl/linter : 14.1.9
@nrwl/nest : Not Found
@nrwl/next : Not Found
@nrwl/node : Not Found
@nrwl/nx-cloud : Not Found
@nrwl/nx-plugin : Not Found
@nrwl/react : Not Found
@nrwl/react-native : Not Found
@nrwl/schematics : Not Found
@nrwl/storybook : 14.1.9
@nrwl/web : Not Found
@nrwl/workspace : 14.1.9
typescript : 4.6.3

Community plugins:
@ngrx/effects: 13.1.0
@ngrx/entity: 13.1.0
@ngrx/router-store: 13.1.0
@ngrx/store: 13.1.0
rxjs: 6.6.7
@ngrx/schematics: 13.1.0
@ngrx/store-devtools: 13.1.0

Hey,

i want to override the tsconfigPath for each app. When I set sonar.typescript.tsconfigPath in the "extra" key of the config it will always use the tsconfig.base.json

here you explicit use the base config. Is there any reason why you choose to not let that variable be customized?

The current implementation allows the user a select variables to be passed to the scanner. This is a problem is the scanner has a plethora of variables that needs to be defined for different cases.

This PR allows the user add extra options via an extra object in the project json or via environment variables.

Run e2e test against the repo's sonar rather than dynamically creating a workspace for it

In azure devops, a detached head is created, forcing us to do this with nx:

- script: yarn nx affected --base=$(BASE_SHA) --head=$(HEAD_SHA) --target=sonar --parallel=1 env: SONAR_TOKEN: $(SONAR_TOKEN)

When we turn branches: true, it only ever shows 'HEAD' in sonarqube as a result. Using SONAR_BRANCH also does not work because sonar.branch is deprecated and we have to use sonar.branch.name

AC1: E2E
Given I have access to the repo
When I push changes
Then e2e tests are executed in CI

Sonar provides the ability to Narrow the Focus by setting scope for source and test paths. This helps, for example, avoid including test files in coverage reports.

If your spec files live along-side the files they test, you may want to set these params:

'sonar.tests': paths.sources()
'sonar.test.inclusions': '**/*.spec.ts'

Adding testInclusions as a string param would be straight forward. Assuming sonar.tests is always the same as sources might not serve every use case. An alternative approach could be:

interface ScanExecutorSchema {
  // existing properties not included for brevity
  testInclusions?: string;
  tests?: string;
  testsPathsFromSources?: boolean;
}

... and then determine what to send to the scanner like:

'sonar.tests': options.testPathsFromSources ? paths.sources : options.tests,
'sonar.test.inclusions': options.testInclusions

Firstly, this plugin looks awesome, I'm running some tests to use it in my established monorepo to deal with the exact scenario this plugin is meant to handle, as we currently have all our code under one big sonarqube umbrella.

But more importantly, we use the OWASP Dependency Check tool in our CI, and to pass that data to SonarQube it requires a couple extra arguments, like sonar.dependencyCheck.jsonReportPath. Is there a good way to add those options? Should I look at maybe submitting a PR that can add that ability?

When upgrade to Nx 17, npm is not able to resolve peer dependencies properly

Could not resolve dependency:
peer @nx/devkit@"16.7.4" from @koliveira15/[email protected]
node_modules/@koliveira15/nx-sonarqube
dev @koliveira15/nx-sonarqube@"3.2.0" from the root project

Conflicting peer dependency: @nx/[email protected]
node_modules/@nx/devkit
peer @nx/devkit@"16.7.4" from @koliveira15/[email protected]
node_modules/@koliveira15/nx-sonarqube
dev @koliveira15/nx-sonarqube@"3.2.0" from the root project

We are building a Design System, and we would like to see Sonar Analyses for each of our lib independently.
At the moment, if A is dependent of B, I will have the bugs of B and A inside the analytics.

For example:

flowchart LR
  subgraph libraries[nx run A:sonar]
  B[Library B containing 5 bugs] -.-> A[Library A containing 1 bug]
  end
  libraries --> Result[6 bugs in total]

What I would like:

flowchart LR
  subgraph libA[nx run A:sonar]
  A[Library A containing 1 bug]
  end
  subgraph libB[nx run B:sonar]
  B[Library B containing 5 bugs]
  end
  libA --> ResultA[1 bug in total]
  libB --> ResultB[5 bugs in total]

Do you think it would be possible to provide an option for this use case ? 😄

Thanks in advance and have a nice day !

Hello,

When I try to run the plugin using nx run-many, the plugin try to find the package.json in the dỉectory of each application end raise an error ENOENT: no such file or directory since there is only project.json

It is not make the command failed but seem annoying when I try to read the console log. Could you check this please?

Thank you

I tried to run this lib on my nodejs nx project and I am getting, Cannot find configuration for XXX
I went to the code and found this code section:

function readProjectConfiguration(tree, projectName) {
    const allProjects = readAndCombineAllProjectConfigurations(tree);
    if (!allProjects[projectName]) {
        // temporary polyfill to make sure our generators work for existing angularcli workspaces
        if (tree.exists('angular.json')) {
            const angularJson = toNewFormat((0, json_1.readJson)(tree, 'angular.json'));
            if (angularJson.projects[projectName])
                return angularJson.projects[projectName];
        }
        throw new Error(`Cannot find configuration for '${projectName}'`);
    }
    return allProjects[projectName];
}

Does only angular supported?

This plugin doesn't have an Nx version listed in the Nx Plugin Registry because the plugin doesn't include @nx/devkit as a dependency. Could you please release a version that fixes that?

Thanks,
Isaac (Nx Team)

I'm using this scan executer in Gitlab CI where its not able to recognize the branch names.Please refer the image.

Update readme with proper links

With nx Crystals, NX changed the way jest is called. (https://nx.dev/concepts/inferred-tasks)

If you don't have a test target in your project.json but a jest config in the project, nx:run-commands is used as an executor instead of @nx/jest:jest,

e.g.:

{
   outputs: [ '{workspaceRoot}\\coverage\\libs\\shared\\entities' ],
   executor: 'nx:run-commands',
   inputs: [ 'default', '^production' ],
   cache: true,
   options: { cwd: 'libs/shared/entities', command: 'jest' },
   configurations: {}
}

Also the options for the testTarget will be different

the options are:

{ cwd: 'libs/shared/entities', command: 'jest' }

My workaround is to force @nx/jest:jest as the executor in all projects and to configure it under targetDefaults in nx.json like in NX < 18

This issue won't affect old workspaces but definetly new or old ones opting in for nx plugins to infer tasks

Would it be possible to make it work with Vitest as well?

Hi,

Currently running the scanner on version 0.3.5, however the scanner currently includes twice paths in the project configuration.

Here's the project configuration:

"options": {
        "name": "shared-libs",
        "hostUrl": "http://localhost:9000",
        "projectKey": "shared-backend",
        "skipTargetDefaults": false,
        "branches": false,
        "qualityGate": true,
        "qualityGateTimeout": "300",
        "skipImplicitDeps": true,
        "extra": {
          "sonar.javascript.lcov.reportPaths": "libs/shared/coverage/lcov.info",
          "sonar.testExecutionReportPaths": "libs/shared/reports/test-sonar-report.xml",
          "sonar.dependencyCheck.htmlReportPath": "dependency-check-report.html",
          "sonar.externalIssuesReportPaths": "image-scan-sonar-report.json",
          "sonar.test.inclusions": "libs/shared/src/**/*.spec.ts"
        }
      }

Command run on one the mono-repo sub-projects: npx nx run shared:sonar

Here's the error:

INFO: Load quality profiles
INFO: Load quality profiles (done) | time=30ms
INFO: Load active rules
INFO: Load active rules (done) | time=408ms
INFO: Indexing files...
INFO: Project configuration:
INFO:   Excluded sources: **/*.spec.ts
INFO:   Included tests: **/*.spec.ts
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 1.789s
INFO: Final Memory: 12M/68M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarScanner execution
ERROR: File libs/shared/src/dto/index.ts can't be indexed twice. Please check that inclusion/exclusion patterns produce disjoint sets for main and test files

Would you see any missing configuration or adjustments are missing here ? Tried setting the testInclusions however it also get doubled in the project excluded sources, ie. set testInclusions to libs/shared/src/**/*.spec.ts, it gets duplicated in excluded sources as shown below:

"sonar": {
      "executor": "@koliveira15/nx-sonarqube:scan",
      "options": {
        "name": "shared-libs",
        "hostUrl": "http://localhost:9000",
        "projectKey": "ATC-shared-backend",
        "skipTargetDefaults": false,
        "branches": false,
        "qualityGate": true,
        "qualityGateTimeout": "300",
        "skipImplicitDeps": true,
        "testInclusions":"libs/shared/src/**/*.spec.ts",
        "extra": {
          "sonar.javascript.lcov.reportPaths": "libs/shared/coverage/lcov.info",
          "sonar.testExecutionReportPaths": "libs/shared/reports/test-sonar-report.xml",
          "sonar.dependencyCheck.htmlReportPath": "dependency-check-report.html",
          "sonar.externalIssuesReportPaths": "image-scan-sonar-report.json",
          "sonar.test.inclusions": "libs/shared/src/**/*.spec.ts"
        }
      }
    }

Error:

INFO: Indexing files...
INFO: Project configuration:
INFO:   Excluded sources: libs/shared/src/**/*.spec.ts
INFO:   Included tests: libs/shared/src/**/*.spec.ts
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------

The current implementation of the plugin detects jest config files defined in the project and tries to parse their coverageDirectory to add any coverage files in these directory. However, jest config is not the only place that could have the coverage directory. Nx allows you to define some test options, including the coverage directory.

The PR adds some changes that allows the plugin to detect the coverage directory in the project json and uses it to add coverage files to the sonar scan.

Implement nx release into workflow for publishing and release notes

https://nx.dev/nx-api/nx/documents/release#release

Implement Astro & Starlight for documentation site with Diataxis format

I started to handle and play with the NX Sonarqube plugin and I found the following error message while using it on a WSL2 instance with the following configuration :

• npm -v : 9.1.2
• node -v : v16.17.1
• project.json file

{
  "name": "my-lib",
  "$schema": "../../../node_modules/nx/schemas/project-schema.json",
  "sourceRoot": "libs/my-lib/src",
  "prefix": "gz",
  "tags": ["scope:shared", "type:utility"],
  "projectType": "library",
  "targets": {
    "build": {
      "executor": "@nx/angular:package",
      "outputs": ["{workspaceRoot}/dist/{projectRoot}"],
      "options": {
        "project": "libs/my-lib/ng-package.json"
      },
      "configurations": {
        "production": {
          "tsConfig": "libs/my-lib/tsconfig.lib.prod.json"
        },
        "development": {
          "tsConfig": "libs/my-lib/tsconfig.lib.json"
        }
      },
      "defaultConfiguration": "production"
    },
    "test": {
      "executor": "@nx/jest:jest",
      "outputs": ["{workspaceRoot}/coverage/{projectRoot}"],
      "options": {
        "jestConfig": "libs/my-lib/jest.config.ts",
        "passWithNoTests": true
      },
      "configurations": {
        "ci": {
          "ci": true,
          "codeCoverage": true
        }
      }
    },
    "lint": {
      "executor": "@nx/linter:eslint",
      "outputs": ["{options.outputFile}"],
      "options": {
        "lintFilePatterns": ["libs/my-lib/**/*.ts", "libs/my-lib/**/*.html"]
      }
    },
    "sonar": {
      "executor": "@koliveira15/nx-sonarqube:scan",
      "options": {
        "hostUrl": "https://localhost:9000/sonar",
        "login": "*************",
        "exclusions": "**/*.spec.ts,**/.storybook/**",
        "name": "my-lib",
        "projectKey": "library:my-lib",
        "projectName": "my-lib",
        "testInclusions": "/*.spec.ts",
        "extra": "SONAR_LOG_LEVEL=DEBUG,SONAR_SOURCES=libs/my-lib/src",
        "skipTargetDefaults": false,
        "branches": false,
        "qualityGate": true,
        "qualityGateTimeout": "300",
        "skipImplicitDeps": false
      }
    }
  }
}

When I run the following command :

export PROJECT_NAME=my-lib
npx nx g @koliveira15/nx-sonarqube:config --hostUrl ${SONAR_HOST_URL} --login ${SONAR_TOKEN} --exclusions **/*.spec.ts,**/.storybook/** --name ${PROJECT_NAME} --projectKey ${NX_PROJECT_TYPE}:${PROJECT_NAME} --projectName " ${PROJECT_NAME}" --testInclusions /*.spec.ts --extra SONAR_LOG_LEVEL=DEBUG,SONAR_SOURCES=libs/mylib/src

The Sonarqube scan failed because he "Cannot read properties of undefined (reading 'sourceRoot')
The SonarQube scan failed for project 'my-lib'. Error: TypeError: Cannot read properties of undefined (reading 'sourceRoot')

Do you have any idea why he can't find the property sourceRoot which is defined in the project.json of the library.

Kind regards,
Thomas

Document how to pass Sonar env variables to the scanner

• Contribute to plugin
• Contribute to docs
• Submitting PRs
• Submitting Bug Repos
• Submitting Features
• Commit message guidelines
• add checkbox to PR Checklist template

https://www.conventionalcommits.org/en/v1.0.0/#summary

We're receiving a warning from Sonarcloud that JDK 11 is deprecated for scanner environments

This seems to have been addressed in sonarqube-scanner v3.1.0.

SonarSource/sonar-scanner-npm#53

Would be great to bump the dependency to fix the issue

Thanks

I have an issue with scanning my nx project. Project has following structure:

nx-sonarqube library console logs "Included sources" and in this log there are listed libraries "apps/app1, libs/details-1, libs/details-2" but there is no "libs/list-1" and "libs/list-2".
"libs/list-1" and "libs/list-2" are lazy loaded by angular router. When I move this lazy loading lists to eager nx-sonarqube properrly logs "libs/list-1" and "libs/list-2" in "Included sources".

Which scope/s are relevant/related to the feature request?

@koliveira15/nx-sonarqube

Information

SonarCloud supports external analyzers report files such as eslint, stylelint, etc...
Here is the documentation related to external analyzers: https://docs.sonarsource.com/sonarcloud/enriching/external-analyzer-reports/

Describe any alternatives/workarounds you're currently using

Amongst all the supported analyzers, I think we can add eslint and stylelint at first.
A boolean option should be added for each external analyzer.
The executor should look for the JSON report output file in the target configuration (lint for eslint and stylelint for stylelint).

I would be willing to submit a PR to provide this feature

• Yes
• No

I'll try to provide a PR for this feature but it may take a while since I don't have a lot of available time.

sourceRoot is an optional property for project configurations

https://nx.dev/nx-api/devkit/documents/ProjectConfiguration#sourceroot